Cybersecurity: Threats and Defences
7 June

UNC1069 expands the npm WAVESHAPER supply chain

3 min read · 10:08 UTC

Google's Threat Intelligence Group confirmed two additional npm packages distributing the DPRK-linked WAVESHAPER.V2 backdoor beyond Axios: @shadanai/openclaw and @qqbrowser/openclaw-qbot, picked up through automated dependency resolution on 31 March.

Technology · Developing
Key takeaway

DPRK-nexus implants spread through transitive dependency resolution, beyond the single maintainer phishing vector.

Google's Threat Intelligence Group (GTIG) confirmed on Monday 11 May 2026 that two additional npm packages, @shadanai/openclaw and @qqbrowser/openclaw-qbot@0.0.130, were distributing the WAVESHAPER.V2 backdoor alongside the previously reported Axios compromise [1]. Both packages picked up the malicious dependency during automated dependency resolution inside the 31 March 2026 injection window attributed to UNC1069, the North Korea-nexus threat cluster. The @qqbrowser/openclaw-qbot package shipped a compromised Axios@1.14.1 inside its own node_modules directory.

UNC1069's original Axios maintainer phishing, disclosed by GTIG and Mandiant on 5 May 2026, affected Axios versions with approximately 100 million and 83 million weekly downloads. The new finding changes the blast-radius model: WAVESHAPER.V2 is now reaching install bases that never directly downloaded a compromised Axios version, only a package that resolved to it transitively. For Node-based services, the distribution surface is the dependency tree two or three layers below the production lockfile, not the package the developer typed at the command line.

The @shadanai and @qqbrowser namespaces suggest pre-seeded dependency traps rather than a second targeted maintainer compromise. That changes the response cost. Maintainer phishing is contained as a single incident, with multifactor authentication and out-of-band credential rotation. Pre-seeded traps require lockfile-level review of every transitive resolution, every time a package updates. WAVESHAPER.V2 is a cross-platform backdoor for Windows, macOS, and Linux; once resolved into a build, it carries the same DPRK-nexus implant capability regardless of which top-level dependency triggered the resolution.
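The lockfile-level review described above, as an added example that is not from GTIG's report or any project tooling: it walks an npm `package-lock.json` (lockfileVersion 2 or 3) `packages` map, flags every install path carrying an advisory-listed version, and attributes each hit to the top-level dependency that pulled it in, including copies nested inside another package's own node_modules, which a check of the hoisted `node_modules/axios` alone would miss. The sample lockfile, the clean version `1.13.0` and the `some-lib` package are constructed for illustration; only `axios@1.14.1` and `@qqbrowser/openclaw-qbot@0.0.130` come from the briefing.

```javascript
const NM = 'node_modules/';

// Package name: everything after the last "node_modules/" in a lockfile key.
const packageName = (key) => key.slice(key.lastIndexOf(NM) + NM.length);
// Top-level dependency owning an install path (first name after the root node_modules/).
const topLevelOwner = (key) => key.slice(NM.length).match(/^(@[^/]+\/[^/]+|[^/]+)/)[1];

// npm resolution rule: from a dependent at `key`, the nearest enclosing
// node_modules/<name> wins; walk outward until the project root.
function resolveFrom(lock, key, name) {
  for (let base = key; ; ) {
    const candidate = (base ? base + '/' : '') + NM + name;
    if (candidate in lock.packages) return candidate;
    if (base === '') return null;
    const i = base.lastIndexOf('/' + NM);
    base = i < 0 ? '' : base.slice(0, i);
  }
}

// Packages (including the project root "") whose declared dependency on `name`
// actually resolves to the given install path.
function dependentsOf(lock, hitPath, name) {
  return Object.entries(lock.packages)
    .filter(([key, m]) => name in (m.dependencies || {}) && resolveFrom(lock, key, name) === hitPath)
    .map(([key]) => (key === '' ? '<project root>' : packageName(key)));
}

// Walk the "packages" map and report every install path carrying a flagged
// version, however deep in the tree it sits.
function findFlaggedResolutions(lock, flagged) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (!key.startsWith(NM)) continue;                 // root / workspace entries
    const name = packageName(key);
    if (!(flagged[name] || []).includes(meta.version)) continue;
    hits.push({ path: key, name, version: meta.version,
      via: topLevelOwner(key),                          // what the developer typed
      nested: key !== NM + name,                        // not the hoisted copy
      declaredBy: dependentsOf(lock, key, name) });
  }
  return hits;
}

// Constructed sample lockfile (not from the report): the hoisted axios is clean,
// while a nested copy under the package's own node_modules carries the flagged version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { '@qqbrowser/openclaw-qbot': '^0.0.130', 'some-lib': '^2.0.0' } },
  'node_modules/@qqbrowser/openclaw-qbot': { version: '0.0.130', dependencies: { axios: '1.14.1' } },
  'node_modules/@qqbrowser/openclaw-qbot/node_modules/axios': { version: '1.14.1' },
  'node_modules/axios': { version: '1.13.0' },
  'node_modules/some-lib': { version: '2.0.0', dependencies: { axios: '^1.13.0' } },
} };
const FLAGGED = { axios: ['1.14.1'] };   // version named in the briefing; the rest is assumed
```

Running `findFlaggedResolutions(SAMPLE_LOCK, FLAGGED)` returns a single hit at the nested path, owned by `@qqbrowser/openclaw-qbot`, while `some-lib`'s `axios` range resolves to the clean hoisted copy and is correctly left out of `declaredBy`.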

Deep Analysis

In plain English

A North Korea-linked hacking group that had already hidden malware inside a popular JavaScript library called Axios added two more smaller packages to its supply-chain attack on 31 March 2026. Developers who installed these packages unknowingly got the same malware, even if they never directly used Axios.

First reported in

Update #4 · AI joins the breach column on both sides (Google Threat Intelligence Group, 20 May 2026)
Causes and effects

The Axios compromise was not the blast radius; it was the visible event. Automated dependency resolution is now the distribution layer DPRK actors are aiming at, not the maintainer phishing alone.
Different Perspectives

Australian Cyber Security Centre (ACSC)

Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.

Europol / international law enforcement

Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.

UK Parliament (Cyber Security and Resilience Bill)

The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.

German BSI / EU enterprise operator perspective

The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.

ENISA / EU cybersecurity regulator

NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.

US federal CISO (FCEB agency)

Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.